Last modified: 2014-11-15 00:18:40 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T72584, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 70584 - Security review of GlobalUserPage extension
Status: RESOLVED FIXED
Product: MediaWiki extensions
Classification: Unclassified
Component: GlobalUserPage
Version: unspecified
Hardware: All All
Importance: Unprioritized normal
Target Milestone: ---
Assigned To: Chris Steipp
Blocks: 70576
Reported: 2014-09-08 21:37 UTC by Kunal Mehta (Legoktm)
Modified: 2014-11-15 00:18 UTC (History)

Description Kunal Mehta (Legoktm) 2014-09-08 21:37:52 UTC

    
Comment 1 MZMcBride 2014-11-04 05:16:30 UTC
I'm a bit confused about the status of this bug. Should it be marked assigned? Does Chris have time to do this?
Comment 2 Chris Steipp 2014-11-14 23:37:23 UTC
Sorry for the delay on this.

Minor nitpick: The default central wiki is an http link, can you make that https, so we encourage that?

That ties into the bigger issue with the extension-- The security of each wiki becomes even more tied to that of the central wiki, since the parse is happening on the remote wiki. So we definitely want to be sure we're talking to the right remote server. But it also opens up some potential attacks that we haven't really had to deal with before.

For example:
* Someone who can add raw html to a page/template/message on the central wiki can add javascript to the local wiki, for any user.
* If a url is blacklisted on the local wiki, but isn't blacklisted on the central wiki, a user can add it centrally and it gets rendered by the local wiki.
* A local wiki oversighter can't delete/suppress content on the user page if they don't also have rights on the central wiki.

Inside the WMF cluster, I don't think these will have a major impact, but I think https://www.mediawiki.org/wiki/Extension:GlobalUserPage should at least document that enabling this on a wiki means you totally trust the central wiki and the admins there.
Comment 3 Kunal Mehta (Legoktm) 2014-11-15 00:01:05 UTC
(In reply to Chris Steipp from comment #2)
> Sorry for the delay on this.
> 
> Minor nitpick: The default central wiki is an http link, can you make that
> https, so we encourage that?

https://gerrit.wikimedia.org/r/173461

> That ties into the bigger issue with the extension-- The security of each
> wiki becomes even more tied to that of the central wiki, since the
> parse is happening on the remote wiki. So we definitely want to be sure
> we're talking to the right remote server. But it also opens up some
> potential attacks that we haven't really had to deal with before.

Yup, though I don't think this extension is opening up any new attack vectors (just new locations) since we already have things like CentralNotice and ForeignFileRepo. 


> For example:
> * Someone who can add raw html to a page/template/message on the central
> wiki can add javascript to the local wiki, for any user.
> * If a url is blacklisted on the local wiki, but isn't blacklisted on the
> central wiki, a user can add it centrally and it gets rendered by the local
> wiki.
> * A local wiki oversighter can't delete/suppress content on the user page if
> they don't also have rights on the central wiki.

They could create a blank userpage and full protect it to get rid of the globaluserpage (assuming oversighter > sysop).


> Inside the WMF cluster, I don't think these will have a major impact, but I
> think https://www.mediawiki.org/wiki/Extension:GlobalUserPage should at
> least document that enabling this on a wiki means you totally trust the
> central wiki and the admins there.

https://www.mediawiki.org/w/index.php?title=Extension%3AGlobalUserPage&diff=1262378&oldid=1141449

Do you want me to expand on the warning with specific examples?
Comment 4 Chris Steipp 2014-11-15 00:18:19 UTC
(In reply to Kunal Mehta (Legoktm) from comment #3)
> (In reply to Chris Steipp from comment #2)
> https://www.mediawiki.org/w/index.php?title=Extension%3AGlobalUserPage&diff=1262378&oldid=1141449
> 
> Do you want me to expand on the warning with specific examples?

Good enough, thanks!
